stuart2020
Participant

Site 2 Site VPN send traffic across multiple tunnels

Hello Everyone,

We have a CheckPoint firewall running R77.30 (we are in the process of upgrading to R80.40) which has 2 VPN star communities configured to 2 external 3rd-party companies. These VPNs work correctly (one is a Cisco ASA and the other a SonicWall) for traffic accessing the LAN services within each star community. A new requirement has arisen where the 3rd party at site A needs to be able to access a service hosted at site B. The 3rd parties are not able to have their own direct VPN connection, so traffic will traverse the CheckPoint firewall.

[Attached image: VPN.PNG]

Encryption Domains:

CheckPoint Firewall:
  Local: 192.168.0.0/24
  Remote Encryption Domain Site A: 192.168.2.0/24
  Remote Encryption Domain Site B: 192.168.4.0/24

Site A Firewall:
  Local: 192.168.2.0/24
  Remote Encryption Domain: 192.168.0.0/24

Site B Firewall:
  Local: 192.168.4.0/24
  Remote Encryption Domain: 192.168.0.0/24

I have tested creating the below NAT rule: (Disable NAT inside the VPN community is unchecked in both communities)

Source IP: 192.168.2.10 > Destination IP: 192.168.0.10 > Source NAT: 192.168.0.10 > Destination NAT: 192.168.4.10

The packet from site A is decrypted on the CheckPoint, the source/destination NAT is applied, and it hits the firewall rule configured to allow traffic to the site B VPN tunnel. The packet is Accepted but not Encrypted, so it doesn't traverse the site B VPN. I think this is due to the pre-NAT destination IP, 192.168.0.10, being defined in the CheckPoint local VPN encryption domain.

Is this option possible, or should it be done a different way? I don't know how I can send traffic across, as I would need to add the site B remote encryption network into the CheckPoint local encryption domain.

Any suggestions or thoughts would be appreciated.

Thank you. 

2 Replies
G_W_Albrecht
Legend

First, I would wait until the R80.40 upgrade has finished successfully. Second, if you had to configure the same for three CP GWs I would gladly have provided the reference (Directional VPN Enforcement using vpnroute.conf, see Site to Site VPN R80.40 Administration Guide p. 153ff) - but for Cisco and SonicWall I have no idea at all.

stuart2020
Participant

Due to timings, this might need to be resolved before the R80.40 upgrade is completed, which is still in the technical planning phase.

In R77.30, is it not possible to decrypt traffic from an S2S VPN and then re-encrypt it to send out over a different S2S VPN tunnel?

Looking at the R80.40 Administration Guide, local encryption domains can now be defined per community. Will this resolve the limitation of having a single local encryption domain for all communities, with a pre-NAT destination IP in both the VPN peer and local VPN encryption domains?

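The two open questions in this thread (why the NAT'd packet is Accepted but not Encrypted, and whether per-community local domains change the picture) both come down to the same check: which (source, destination) pair is tested against which (local, remote) domain pair. The model below is an added illustration, not Check Point code and not a statement of how R77.30 or R80.40 actually evaluates NAT'd traffic. It uses only the domains and the NAT rule as posted (the .10 hosts are the poster's values), and it makes two things explicit: the community a packet matches before versus after the NAT rule, and the local/remote domain overlap created by adding 192.168.4.0/24 to one shared local domain compared with giving each community its own local domain. The "encrypt"/"decrypt" labels and the per-community `local` key are this model's own naming, not Check Point terminology.

```python
"""Model of VPN encryption-domain matching for the hub scenario in the thread.

Added illustration only: not Check Point code, and no claim about whether a
real gateway tests pre-NAT or post-NAT addresses. It shows (a) which
community covers a (src, dst) pair before and after the posted NAT rule and
(b) the domain overlap that a single shared local domain creates when
192.168.4.0/24 is added to it, versus per-community local domains.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Nets = list  # list of ip_network objects


def nets(*cidrs: str) -> Nets:
    return [ip_network(c) for c in cidrs]


# Encryption domains as posted: the hub (Check Point) has one local domain
# shared by both star communities; each community has its own remote domain.
HUB_LOCAL: Nets = nets("192.168.0.0/24")
COMMUNITIES: Dict[str, Dict[str, Nets]] = {
    "SiteA": {"remote": nets("192.168.2.0/24")},
    "SiteB": {"remote": nets("192.168.4.0/24")},
}

# The static source+destination NAT rule from the post.
NAT_RULE = {"orig_src": "192.168.2.10", "orig_dst": "192.168.0.10",
            "xlate_src": "192.168.0.10", "xlate_dst": "192.168.4.10"}


def in_domain(addr: str, domain: Nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in domain)


def apply_nat(src: str, dst: str, rule=NAT_RULE) -> Tuple[str, str]:
    """Translate both addresses if the rule matches; otherwise leave them."""
    if src == rule["orig_src"] and dst == rule["orig_dst"]:
        return rule["xlate_src"], rule["xlate_dst"]
    return src, dst


def match_communities(src: str, dst: str, communities=COMMUNITIES,
                      shared_local: Nets = HUB_LOCAL) -> List[Tuple[str, str]]:
    """(community, direction) pairs whose domains cover src -> dst.

    'encrypt': src in the local domain, dst in that community's remote domain
               (traffic leaving the hub through that tunnel).
    'decrypt': the reverse (traffic arriving through that tunnel).
    A community's own 'local' entry, if present, replaces shared_local; that
    models the per-community local domains asked about in the thread.
    """
    hits = []
    for name, c in communities.items():
        local = c.get("local", shared_local)
        if in_domain(src, local) and in_domain(dst, c["remote"]):
            hits.append((name, "encrypt"))
        if in_domain(src, c["remote"]) and in_domain(dst, local):
            hits.append((name, "decrypt"))
    return hits


def hub_decision(src: str, dst: str) -> Dict[str, List[Tuple[str, str]]]:
    """Community matches for the packet as received and after the NAT rule."""
    nat_src, nat_dst = apply_nat(src, dst)
    return {"pre_nat": match_communities(src, dst),
            "post_nat": match_communities(nat_src, nat_dst)}


def overlap_report(communities, shared_local: Nets) -> Dict[str, bool]:
    """True for every community whose local and remote domains overlap."""
    return {name: any(l.overlaps(r)
                      for l in c.get("local", shared_local)
                      for r in c["remote"])
            for name, c in communities.items()}


# Per-community local domains: each community treats the other spoke as
# local, without duplicating its own remote network on the local side.
PER_COMMUNITY = {
    "SiteA": {"local": nets("192.168.0.0/24", "192.168.4.0/24"),
              "remote": nets("192.168.2.0/24")},
    "SiteB": {"local": nets("192.168.0.0/24", "192.168.2.0/24"),
              "remote": nets("192.168.4.0/24")},
}

if __name__ == "__main__":
    # Pre-NAT the packet only ever matches SiteA as arriving traffic;
    # post-NAT it matches SiteB as traffic to encrypt.
    print(hub_decision("192.168.2.10", "192.168.0.10"))
    # Poster's alternative: 192.168.4.0/24 added to the one shared local
    # domain overlaps SiteB's remote domain.
    print(overlap_report(COMMUNITIES, nets("192.168.0.0/24", "192.168.4.0/24")))
    # With per-community local domains there is no overlap, and the
    # un-NATed pair 192.168.2.10 -> 192.168.4.10 is "decrypt" on A, "encrypt" on B.
    print(overlap_report(PER_COMMUNITY, []))
    print(match_communities("192.168.2.10", "192.168.4.10", PER_COMMUNITY, []))
```

The per-community layout only works in the model if both peers' remote domains are widened to match (site A's SonicWall/ASA would need 192.168.4.0/24 as a remote network, and site B's the reverse); that is an assumption of the example, not something the thread confirms the third parties will accept.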